{"containers": {"cna": {"affected": [{"product": "Apache Hive", "vendor": "Apache Software Foundation", "versions": [{"lessThan": "3.1.3", "status": "affected", "version": "Apache Hive", "versionType": "custom"}]}], "credits": [{"lang": "en", "value": "This vulnerability was discovered and reported by Hideyuki Furue."}], "descriptions": [{"lang": "en", "value": "Apache Hive before 3.1.3 \"CREATE\" and \"DROP\" function operations does not check for necessary authorization of involved entities in the query. It was found that an unauthorized user can manipulate an existing UDF without having the privileges to do so. This allowed unauthorized or underprivileged users to drop and recreate UDFs pointing them to new jars that could be potentially malicious."}], "metrics": [{"other": {"content": {"other": "Very Important"}, "type": "unknown"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-306", "description": "CWE-306 Missing Authentication for Critical Function", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-07-16T07:10:09.000Z", "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://lists.apache.org/thread/oqqgnhz4c6nxsfd0xstosnk0g15f7354"}], "source": {"defect": ["HIVE-25468", ""], "discovery": "UNKNOWN"}, "title": "Apache Hive Security vulnerability in Hive with UDFs", "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@apache.org", "ID": "CVE-2021-34538", "STATE": "PUBLIC", "TITLE": "Apache Hive Security vulnerability in Hive with UDFs"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Apache Hive", "version": {"version_data": [{"version_affected": "<", "version_name": "Apache Hive", "version_value": "3.1.3"}]}}]}, "vendor_name": "Apache Software Foundation"}]}}, "credit": [{"lang": "eng", "value": "This vulnerability was discovered and reported by Hideyuki Furue."}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Apache Hive before 3.1.3 \"CREATE\" and \"DROP\" function operations does not check for necessary authorization of involved entities in the query. It was found that an unauthorized user can manipulate an existing UDF without having the privileges to do so. This allowed unauthorized or underprivileged users to drop and recreate UDFs pointing them to new jars that could be potentially malicious."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": [{"other": "Very Important"}], "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-306 Missing Authentication for Critical Function"}]}]}, "references": {"reference_data": [{"name": "https://lists.apache.org/thread/oqqgnhz4c6nxsfd0xstosnk0g15f7354", "refsource": "MISC", "url": "https://lists.apache.org/thread/oqqgnhz4c6nxsfd0xstosnk0g15f7354"}]}, "source": {"defect": ["HIVE-25468", ""], "discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T00:12:50.447Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://lists.apache.org/thread/oqqgnhz4c6nxsfd0xstosnk0g15f7354"}]}]}, "cveMetadata": {"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "assignerShortName": "apache", "cveId": "CVE-2021-34538", "datePublished": "2022-07-16T07:10:09.000Z", "dateReserved": "2021-06-10T00:00:00.000Z", "dateUpdated": "2024-08-04T00:12:50.447Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apache:hive:*:*:*:*:*:*:*:*", "matchCriteriaId": "B25510FE-9822-4F1E-8442-A4D9349B9C30", "versionEndExcluding": "3.1.3", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Apache Hive before 3.1.3 \"CREATE\" and \"DROP\" function operations does not check for necessary authorization of involved entities in the query. It was found that an unauthorized user can manipulate an existing UDF without having the privileges to do so. This allowed unauthorized or underprivileged users to drop and recreate UDFs pointing them to new jars that could be potentially malicious."}, {"lang": "es", "value": "Las operaciones de funci\u00f3n \"CREATE\" y \"DROP\" de Apache Hive versiones anteriores a 3.1.3, no comprueban la autorizaci\u00f3n necesaria de las entidades implicadas en la consulta. Se ha encontrado que un usuario no autorizado puede manipular una UDF existente sin tener los privilegios para hacerlo. Esto permit\u00eda a usuarios no autorizados o poco privilegiados soltar y volver a crear UDFs que apuntaban a nuevos tarros que pod\u00edan ser potencialmente maliciosos"}], "id": "CVE-2021-34538", "lastModified": "2024-11-21T06:10:37.843", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-07-16T07:15:08.530", "references": [{"source": "security@apache.org", "tags": ["Mailing List", "Vendor Advisory"], "url": "https://lists.apache.org/thread/oqqgnhz4c6nxsfd0xstosnk0g15f7354"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Vendor Advisory"], "url": "https://lists.apache.org/thread/oqqgnhz4c6nxsfd0xstosnk0g15f7354"}], "sourceIdentifier": "security@apache.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-306"}], "source": "security@apache.org", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-306"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}

{}